CVE-2019-6804

MEDIUM

Rundeck < 3.0.13 - Stored Cross-Site Scripting in Job Edit Page

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-6804. PoCs published by Ishaq Mohammed.

AI-analyzed exploit summary: This is a writeup describing a stored XSS vulnerability in Rundeck Community Edition before 3.0.13. The vulnerability allows JavaScript injection in the Arguments, Invocation String, and File Extension fields; the injected script is rendered in the Execution Preview.

Description

An XSS issue was discovered on the Job Edit page in Rundeck Community Edition before 3.0.13, related to assets/javascripts/workflowStepEditorKO.js and views/execution/_wfitemEdit.gsp.

Exploits (1)

exploitdb WRITEUP
by Ishaq Mohammed · text · webapps · java
https://www.exploit-db.com/exploits/46251


Classification: Writeup 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Rundeck Community Edition before 3.0.13
Auth required
Prerequisites: Valid credentials to log in to Rundeck Server · Access to a project and job edit form
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Third Party Advisory x_refsource_misc
https://github.com/rundeck/rundeck/issues/4406
Release Notes, Vendor Advisory x_refsource_misc
https://docs.rundeck.com/docs/history/version-3.0.13.html
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46251/

Scores

CVSS v3 6.1
EPSS 0.0862
EPSS Percentile 92.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (2)
org.rundeck/rundeck 0 - 3.0.13 (Maven)
pagerduty/rundeck < 3.0.13
Published: Jan 25, 2019
Tracked Since: Feb 18, 2026